Hi, Currently ES4 allows to access from eval scripts the names introduced by the let statements and expressions. It leads to implementation complexity since the let bindings cannot be implemented as a pure compilation-time feature and the runtime must be able to expose the names for eval scripts.
Thus I suggest to consider making let bindings invisible to the eval scripts. That is, the idea is to exclude any let-induced name from the scope chain passed to the eval script. For example, given: let a; function f(b) { var c; let d; eval(eval_source); } the script from eval_source when executed would not see a and d and would be able to access/modify only b and c. This not only simplifies implementations, but would also give a possibility to prevent eval-injections from discovering the internal state of a closure as long as the closure uses let for its internal state. Although ES4 mitigates that with restrictions on the indirect eval, for compatibility implementations may be forced to support it. Regards, Igor _______________________________________________ Es4-discuss mailing list Es4-discuss@mozilla.org https://mail.mozilla.org/listinfo/es4-discuss